The Byte of Technology Concentration
For years, cybersecurity headlines have focused on the threats posed by intentional attacks.
But a global IT incident that caused millions of Microsoft operating systems to crash this summer was due to an error in a routine software update rather than a malicious act.
Reaction to the CrowdStrike outage varied widely: some highlighted the resilience demonstrated by many affected companies that resumed critical operations quickly; others warned the outage was a preview of potentially catastrophic future events. But there was little disagreement that it demonstrated the risks associated with technology concentration, a type of supply chain risk.
Technology concentration refers to widespread reliance on a limited number of technology platforms or providers. Disruptions caused by operational failures or cyber attacks can lead to widespread operational interruptions and cascading failures across dependent organizations, sectors, or countries.
Now insurers, bureaucrats, and boardrooms worldwide must ask themselves how much concentration risk is too much. For businesses, the answer depends on their risk appetite—determining which risks to accept, mitigate, or transfer. For governments, the answer is less clear.
What Will Businesses Learn?
The outage was an unwelcome reminder to the private sector that digital risks extend beyond ransomware and other headline-grabbing malicious cyber incidents. Reliance on a small number of technology providers and platforms can create systemic risks, such as supply chain disruptions and increased chances of large data breaches from centralized repositories. Many companies try to mitigate these risks by diversifying their providers, but this can be challenging in the cybersecurity market, where 15 companies account for over half of the available products and services.
With limited diversification options, businesses transfer some of their financial risks to insurers. Cyber coverage is already one of the fastest-growing markets within the insurance industry, driven in part by a dramatic increase in the frequency and severity of cyber crime. The CrowdStrike outage is expected to drive more businesses to seek insurance policies that cover the financial consequences of both criminal and unintentional events.
Of course, an important prerequisite to transferring risk is understanding it. This can be challenging for many small and midsize businesses (SMBs) that lack the technological expertise and resources to assess their risk. Brokers are well-positioned to advise SMBs and help them find insurance-related resources to quantify and improve their digital risk.
Businesses will have to mitigate whatever risks they identify but choose not to transfer or accept. Following the CrowdStrike outage, many firms will enhance their risk mitigation protocols, including ensuring incident recovery plans feature cyber disruption scenarios that draw on lessons from July 19. One key lesson is understanding why certain companies within the same sector, facing seemingly similar challenges, had dramatically different recoveries.
For example, recovery among airlines was mixed. Delta Air Lines struggled while American Airlines appeared to meet the moment. Over the first three days of the outage, Delta canceled 1,207, 1,208, and 1,386 flights on successive days, compared with American’s daily cancellations of 408, 50, and 92.
American Airlines COO David Seymour credited the company’s recovery to its ability to assemble operating teams and experts to execute a recovery plan within an hour of the outage. Meanwhile, the U.S. Department of Transportation is investigating Delta Air Lines’ response to the outage.
This lesson is powerful: cyber insurers have long maintained that having and practicing an incident response plan strongly predicts a firm’s ability to recover quickly from a disruption.
Beyond the transportation sector, the financial services sector will also learn from this incident as several large banks were affected. John Carlson, senior vice president for cybersecurity regulation and resilience at the American Bankers Association, expects the outage to elevate the industry’s focus on mitigating risks from technology concentration. He believes financial institutions are likely to integrate more “robust third-party risk management programs to oversee critical providers.”
Brett Callow, managing director for cybersecurity and data privacy communications at FTI Consulting, warns, “It’s critical that organizations do not view this incident as a one-off. There could very well be other similar events, and organizations should prepare as best they can for that possibility.”
Governments Weigh Risks
Governments will have different perspectives from the private sector regarding how much concentration risk is too much.
Government interest in cybersecurity events and related supply chain disruptions is driven by national security concerns—that those events can disrupt critical services and upend the economy. While the CrowdStrike outage fell far short of the catastrophic black swan event some have warned about, it illustrates the systemic risks associated with technology concentration.
The outage is on regulators’ radar. On the day of the outage, Federal Trade Commission Chair Lina Khan observed that system-wide outages stemming from a single event reveal how concentration can create fragile systems. Regulators are questioning how much interconnectivity and technology concentration risk is too much.
At the core of this conversation is a public policy tension between leveraging the benefits of economies of scale and minimizing risks associated with concentration. This tension isn’t limited to cybersecurity.
On Feb. 21, a ransomware incident at Change Healthcare disrupted healthcare supply chains and compromised one-third of Americans’ sensitive data. Congress lamented the massive and protracted impact of that event, with Republican Rep. Earl Carter of Georgia pointing to vertical integration and the resultant concentration of the healthcare supply chain as magnifying the incident’s impact. To minimize the fallout from future events, he vowed to “continue to work to bust…up” vertical integration across the healthcare system.
With 15 companies accounting for 62% of the global market in cybersecurity products and services, the CrowdStrike incident could reignite similar public policy debates. But the discussion will be thorny as regulators will have to weigh difficult trade-offs. On one hand, the public benefits from economies of scale when large cybersecurity companies can invest more in research and development, reduce prices by spreading fixed costs over a larger volume of services, and scale telemetry to stay ahead of cyber criminals. On the other hand, larger companies are more attractive targets for attack, and as we saw on July 19, concentration puts supply chains at risk from overdependence on a single provider.
Insurance is likely to be a part of any government-driven conversations on technology concentration risk. Beyond understanding the financial impact of the outage on the industry, policymakers want to know how cyber insurers protect themselves against aggregated concentration risk across their portfolio of insureds. There is also a history of policymakers pointing to cyber insurance as a potential impetus for improved cybersecurity hygiene across the private sector. By helping individual policyholders avoid and recover from hacks, insurance can simultaneously bolster economic resilience.
Even before the outage, U.S. and European regulators openly debated whether the insurance market could withstand losses associated with a catastrophic cyber-related event. In the United Kingdom, lawmakers seem to have decided, for the time being, to let markets manage themselves. In the United States, it remains an open question.